This guide is all about how to become an ethical hacker. It includes detailed information on the role an ethical hacker plays, some of the skills and experience necessary to become an ethical hacker, and strategies for landing a job as an ethical hacker.
Historically, defensive and offensive cybersecurity pursuits have been described using the monikers of whitehat hackers and blackhat hackers, respectively. These nicknames were used to distinguish the good guys from the bad guys. While both of these terms are still commonly used, at least one of them may not be adequately descriptive of the various roles found in today’s modern cybersecurity ecosystem.
Although a blackhat hacker is still just the bad guy, the good guys are now better described using expressions such as red team, blue team, purple team, ethical hacker, and penetration tester. More specifically, red teams provide offensive security services and blue teams provide defensive services. Purple, being the combination of red and blue, identifies those teams that provide some of each flavor of security service.
The term ethical hacker includes all security professionals that provide offensive services, whether red team, pentester, or freelance offensive consultant.
While there are some subtle technical differences, say between the services provided by an independent offensive cybersecurity consultant and an in-house pentester, for this guide these various names for ethical hackers are used interchangeably.
An ethical hacker’s primary purpose is to view security from the adversary’s perspective in an effort to find vulnerabilities that could be exploited by bad actors. This provides defensive teams the opportunity to mitigate by devising a patch before a real attack can occur. This objective is served by executing simulated cyberattacks in a controlled environment.
While much of the value that an ethical hacker provides is related to testing security controls and devices for perimeter penetration vulnerabilities, they also look more broadly for weaknesses that can be exploited deep within a network or application, such as data exfiltration vulnerabilities.
Role of an ethical hacker
Ethical hackers can be independent freelance consultants, employed by a firm that specializes in simulated offensive cybersecurity services, or they can be an in-house employee protecting a company’s website or apps.
Knowledge of current attack methods and tools is a requirement across these employment options; however, the in-house ethical hacker may be required to have an intimate knowledge of only a single software or digital asset type.
Conversely, a benefit that an external ethical hacker may provide is a fresh set of eyes to identify vulnerabilities that may be overlooked by the internal team. Even organizations that employ an internal red team may occasionally contract an external ethical hacker to provide this fresh look at their defenses.
For any external offensive security service provider, it is especially important to obtain written permission from the client before beginning any offensive activities. This permission should detail the systems, networks, applications, and websites that will be included in the simulated attack. Do not increase the scope of the service without additional written permission to do so.
In keeping with the industry’s use of colors to delineate between various cybersecurity roles and functions, there are white-box, black-box, and gray-box ethical hacker engagements. A white-box engagement is one in which the security professional is given as much information about the target system and application as possible. This allows the simulated attack to go wide and deep very quickly, looking for vulnerabilities that it would take a real bad actor a very long time to uncover.
Conversely, a black-box engagement is one in which no insider information is given to the ethical hacker. This more closely reflects the circumstances of a real attack and can provide valuable insight into what a real attack vector may look like. As the name implies, a gray-box engagement then denotes the simulation of an attack in which the attacker has already penetrated the perimeter and may have spent some time inside the system or application.
Many firms enlist the help of all three engagement types in conjunction with both in-house and external ethical hackers. This variation of applied knowledge can provide the best view of what protections must be deployed but is also much more expensive to undertake.
Possessing ethical hacker skills and knowledge is helpful for many other security roles.
The skills required to become an ethical hacker
While there are plenty of anecdotal stories of blackhat hackers being converted into whitehats in a bygone era, the most important requirement for becoming a successful ethical hacker today is to have, as the name suggests, high ethical standards. Ethics are what separate the good guys from the bad guys. There are plenty of blackhat hackers who have adequate technical skills to be an ethical hacker, but they lack the discipline of character to do the right thing regardless of the perceived benefits of doing otherwise.
A history of cybercrime poses an unacceptable risk for a member of a cybersecurity team. For a large organization with an astute legal team, this type of risk would represent a nonstarter. A word to the wise, then: when looking for work as an ethical hacker, a resume that includes any work that even smells of unauthorized activity or unethical behavior is a fast way to be disqualified. While people can certainly change over time, most employers accept that developing a set of ethical life-guiding standards is much more involved than just desiring a career change.
Second to having the “ethical” part of this colloquial nickname covered is the need to have the “hacker” part covered as well. A candidate for an ethical hacker job must be able to demonstrate advanced cybersecurity technical skills. The ability to recommend mitigation and remediation strategies is a part of the desired experience.
Strong coding skills are essential, and direct, manual, hands-on attack methods must be clearly understood and demonstrated. In short, an ethical hacker should have defended so many assets over their career that imitating, and then thinking a few steps ahead of, the adversary comes almost as second nature.
Above and beyond good ethics and strong technical skills is a special mix of creative and analytical thinking. Ethical hackers need to be able to think like the adversary. They must understand what motivates the bad actors and be able to estimate how much time and effort the blackhat may be willing to apply toward any specific target. To do this, the pentester must understand the value of the data and systems they protect.
Ethical hacker certifications and education
EC-Council describes their CEH certification in these terms: “A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.”
Any number of other cybersecurity professional certifications offered by EC-Council will lend themselves toward becoming more hireable as an ethical hacker.
Offensive Security describes their OSCP certification, saying: “The OSCP examination consists of a virtual network containing targets of varying configurations and operating systems. At the start of the exam, the student receives the exam and connectivity instructions for an isolated exam network that they have no prior knowledge or exposure to.
The successful examinee will demonstrate their ability to research the network (information gathering), identify any vulnerabilities and successfully execute attacks. This often includes modifying exploit code with the goal to compromise the systems and gain administrative access.
The candidate is expected to submit a comprehensive penetration test report, containing in-depth notes and screenshots detailing their findings. Points are awarded for each compromised host, based on their difficulty and level of access obtained.”
A bachelor’s degree in a computer-related field is a good place to start your career. Computer science or network engineering education provides a recommended foundation for work in the security field. When considering a bachelor’s program in the field of cybersecurity, give priority to programs with a strong interdisciplinary focus.
Good programs will emphasize computer engineering, computer science, and business management skills. Look for programs that include courses in technical writing and legal issues surrounding technology and ethics. The best cybersecurity professionals are well-rounded individuals who can see their field through a wide-angle lens.
Even with a degree and a professional certification or two, self-study is needed to keep up with current attack methods and offensive strategies. A home lab can be very useful. YouTube videos, internet groups and forums, and social media posts and exchanges are all methods used by successful ethical hackers to keep their edge over blackhat hackers.
How to get experience as an ethical hacker
Experience with vulnerability testing tools, such as Metasploit, Netsparker, and OpenVAS, is very helpful for ethical hackers. These tools, and there are many more of them, are designed to save time when searching for known vulnerabilities. These or similar tools may provide a useful framework for vulnerability scanning and management but should represent only the starting point for an experienced ethical hacker. Manual simulated attacks must be directed toward the target as well. Knowledge of and experience with how these attacks are performed are essential.
The path to finding work as an ethical hacker will almost invariably pass through many years as a member of a security team providing defensive security services.
Helpful experience extends beyond past IT security work. Social engineering and physical penetration tests are also applicable skills. Many attacks begin with intel gathered using an extended social engineering campaign. Knowledge of social engineering strategies and tactics can be very helpful in understanding the entire threatscape.
Physical breaches to a server room or data center will also sometimes precede a digital attack. An understanding of what physical assets are vulnerable will help an ethical hacker identify the types and methods that are likely to be used in a real event.
Cybercriminals must become ever more innovative as security professionals deny them the use of their previous methods and tactics. Physical attacks, including the use of drones to sniff out unprotected networks, are becoming more frequently employed to gather intel and initiate cyberattacks. An ethical hacker must anticipate and simulate the use of traditional and non-traditional attack vectors to provide the most comprehensive threat analysis possible.
Typical work assignments for an ethical hacker include threat modeling, security assessments, vulnerability threat assessments (VTA), and report writing. Assuredly, the responsibilities of this role will vary from company to company, but these staples will nearly always be included in the job description.
Threat modeling is a process used to optimize network security by identifying vulnerabilities and then determining countermeasures to prevent an attack or mitigate the effects of an attack against the system. In the context of threat modeling, a threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or incidental (such as the failure of computer hardware), and that can compromise the assets of the enterprise. An ethical hacker would contribute to this process by providing a comprehensive view of the possible malicious attacks and their resultant consequences for the organization.
The objective of effective threat modeling is to conclude where the greatest focus should be to keep a system secure. This can change as new circumstances develop and become known, applications are added, removed, or improved, and user demands unfold. Threat modeling is an iterative process that consists of defining assets, recognizing what each application does with respect to these assets, creating a security profile for each application, identifying potential threats, prioritizing potential threats, and documenting adverse events and the actions taken in each case.
The ethical hacker’s role is imperative in that it allows the threat modeling to remain a proactive, theoretical exercise rather than a post mortem after an actual attack.
An ethical hacker, whether a pentester or a red team leader, will often be assigned the task of providing a security assessment. Simply put, an information security assessment is a risk-based measurement of the security posture of a system or enterprise. Security assessments are periodic exercises that test an organization’s security preparedness. They include checks for vulnerabilities related to the IT systems and business processes, as well as recommending steps to lower the risk of future attacks.
Security assessments are also useful for determining how well security-related policies are adhered to. They help to shore up policies designed to prevent social engineering and can identify the need for additional or enhanced security training. Culminating in a report that identifies weaknesses and makes recommendations, the security assessment is an invaluable risk management tool.
Vulnerability threat assessment
A vulnerability threat assessment is a process used to identify, quantify, and rank the vulnerabilities relevant to a system along with the threats that could possibly exploit those vulnerabilities. While closely related to a security assessment, the VTA is conducted to identify and correlate specific threats and vulnerabilities. The basic security assessment, described above, is used to identify vulnerabilities and evaluate the security posture of the enterprise independent of any specific threat. The VTA is a more threat-based assessment.
Examples of systems for which vulnerability threat assessments should be performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional or national infrastructure entities. Each of these system types and/or enterprises will require someone in an ethical hacker role to perform the VTA.
A crucial element for carrying out the assignments of an ethical hacker is the ability to write clear and concise professional reports. Gathering data, identifying vulnerabilities, and correlating threats are of little value if the appropriate information cannot be articulated to risk management leaders. Reports submitted from the red team are often the impetus for significant security resource expenditures. Risk management professionals need to have total confidence in the findings of ethical hackers in their organization. In some cases, an ethical hacker will be an outside consultant retained by a firm to provide the information needed to justify security expenditures for upper management or the board of directors. In the world of security consulting, the report is the primary deliverable and is of the utmost importance.
When considering possible professional certifications and educational opportunities to elevate a career to include ethical hacking, do not underestimate the importance of business writing expertise. The ability to produce a well-written report will boost an individual’s career over an otherwise equally qualified peer.
Ethical hacking in review
Being a member of an in-house red team or working as a freelance whitehat hacker are exciting vocations. As far as operations-level positions go, they are highly sought-after positions that can engender a level of respect and provide a degree of prestige within the cybersecurity community. Ethical hacker jobs are necessary for the effective protection of networks, systems, and applications. This expertise is required throughout national infrastructure entities and to secure critical or sensitive data across all industries.
For many, the term ethical hacker is an oxymoron. It indicates two opposing notions. One is that of high ethical standards, and the other that of “hacking,” which is usually associated with nefarious activity.
Regardless of whether or not the word hacker is used in the job description, these jobs are not for the morally questionable and certainly not for anyone who has a history of being a bad actor. Ethical hackers are necessarily privy to sensitive information, the divulging of which could be catastrophic for the enterprise. A security clearance is often required for government employees and government contractors. Obtaining a security clearance will include a background investigation and an examination of financial and social media data.
With the relatively rare exception of the independent freelance offensive cybersecurity consultant, ethical hackers normally work as part of a team. If on a red team, the other team members will be like-skilled ethical hackers or pentesters, and the team will be part of the overall security department. In a smaller organization, the ethical hacker may be the only person with an offensive role, but will invariably be a part of a larger security team. The ability to work well with other team members and to communicate effectively is critical to success. An ethical hacker is not the stereotypical hoodie-wearing young person working out of their parents’ basement who decided to trade their black hat in for a white one. She is more often an educated, experienced, skilled, and articulate professional who is dedicated to making the world a safer place to live and work.
While history may provide examples of self-taught gritty individualists pulling themselves up by their digital bootstraps to the pinnacle of cybersecurity ops, an education with a minimum of a bachelor’s degree, combined with one or more specialized professional certifications, is the standard for ethical hackers. Years of mettle-proving experience in software development and/or more traditional defensive security roles is not at all unusual for successful ethical hackers.